wpa_supplicant 2.4 problems in dbus mode with pkcs11 engine
dennis.knorr at gmx.net
Fri Nov 3 16:02:05 PDT 2017
We currently work at the City of Munich with wpa_supplicant 2.4 for
802.1X authentication of Ubuntu clients and happened to spot a few
problems. We are still evaluating them further, but wanted to notify the
wpa_supplicant community and find out whether anyone else has
stumbled on them.
We want to do 802.1X over wire and air with certificates in a
PKCS#11 container (softhsm2 for example) and use that via wpa_supplicant
and NetworkManager. Currently the wpa_supplicant configuration is passed
to it by NetworkManager over D-Bus, and our platform is Kubuntu 17.10.
The client architecture looks like this:
The problems are:
1. Client cert cannot use a PKCS#11 URI.
If a complete certificate is put into the PKCS#11 container and referenced
via its PKCS#11 URI, wpa_supplicant is not able to retrieve the
certificate and use it for 802.1X or WPA Enterprise. It only works if
only the private key is put into the PKCS#11 container and this key is
referenced by wpa_supplicant via PKCS#11. It looks like wpa_supplicant does
not even ask p11-kit for an engine to query the PKCS#11 URI for a
2. After the first successful use (private key query), the PKCS#11 engine
is broken for the second use.
The first use of the private key PKCS#11 URI with wpa_supplicant for
the authentication to the (802.1X) network is successful. When
wpa_supplicant wants to reauthenticate to the network and is not
restarted (in D-Bus mode), wpa_supplicant writes to syslog:
Okt 30 06:09:21 tb8021x wpa_supplicant: ENGINE: engine init failed
(engine: pkcs11) [error:00000000:lib(0):func(0):reason(0)]
Okt 30 06:09:21 tb8021x wpa_supplicant: p11-kit: softhsm2: module
failed to initialize, skipping: The module has already been initialized
Okt 30 06:09:21 tb8021x wpa_supplicant: Failed to enumerate slots
After the wpa_supplicant line there is the softhsm2 line, which shows that the
PKCS#11 system cannot be initialized because it is ALREADY initialized.
Therefore our theory is that the PKCS#11 engine is not cleaned up
after the first use or is not (correctly) reinitialized in the current context.
The preparation for reproducing our setup would look like this:
* Server preparation: RADIUS with EAP and an X.509 CA and server cert.
** Managed switch with 802.1X support, configured to use the RADIUS server.
** Wifi access point with WPA Enterprise, configured to use the RADIUS server.
* Client preparation: kde5 + networkmanager + plasma-nm + wpa_supplicant
2.4 + openssl 1.0.x + libengine-pkcs11-openssl + softhsm2 + p11-kit +
p11tool (Kubuntu 17.10)
** X.509 client cert matching the CA. Files matching the RADIUS setup stored:
client cert + private key + CA.
** softhsm2 storage token for client cert and private key with root
access (via the global softhsm2 config).
** p11-kit module for softhsm2 configured.
** OpenSSL pkcs11 engine library installed and linked correctly so that it
can be loaded from OpenSSL.
** OpenSSL should be able to use softhsm2 via the pkcs11 engine lib.
Our client NetworkManager profiles are as follows:
1.) LAN 802.1X config with files only (CA + client cert + private key)
2.) LAN 802.1X config with PKCS#11 for the private key only
3.) LAN 802.1X config with PKCS#11 for the client cert only
4.) LAN 802.1X config with PKCS#11 for client cert and private key
5.) WIFI WPA Enterprise config with files only (CA + client cert +
6.) WIFI WPA Enterprise config with PKCS#11 for the private key only
7.) WIFI WPA Enterprise config with PKCS#11 for the client cert only
8.) WIFI WPA Enterprise config with PKCS#11 for client cert and private key
Working configs without any limitations: 1 + 5
Working configs only after wpa_supplicant is restarted: 2 + 6
Not working configs: 3 + 4 + 7 + 8
We thought this would be a common setup and expected it to work, but it
looks like there are some bugs in the combination
pkcs11 + wpa_supplicant + networkmanager. If needed/wanted, we could provide
some initialization scripts for the client side, which set up the
client configuration. The server configuration would take a bit longer, since
we do not maintain the server side (network admin guys with Cisco gear),
or we could describe how to "emulate" 802.1X over wire/air authentication with
virtual machines for reproduction, if anyone is interested.
We will keep working on this but wanted to know whether some of you have
experienced this or have any hints for us. We would also be glad if this
starts a discussion about the interaction of the different components,
since this is not very transparent for newcomers.
the limux guys.
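To reproduce the profile variants from the post without going through NetworkManager and D-Bus, it helps to have the equivalent plain wpa_supplicant.conf network blocks and to sanity-check the PKCS#11 URIs before handing them to the engine. The following is an added example, not code from the post or from the wpa_supplicant project: it parses RFC 7512 `pkcs11:` URIs (path attributes separated by `;`, query attributes separated by `&`, percent-encoded values, binary `id`) and emits EAP-TLS network blocks using the OpenSSL engine fields that wpa_supplicant.conf documents (`engine`, `engine_id`, `key_id`, `cert_id`, `pin`). The token name, object labels, file paths, identity and PIN are constructed placeholders; whether a given wpa_supplicant build resolves a `cert_id` URI is exactly the open question of the post, so the generator only checks that a URI names the object class the field expects.

```python
"""
Added example (not from the post or from wpa_supplicant): parse RFC 7512
PKCS#11 URIs and emit wpa_supplicant EAP-TLS network blocks for the
"files only", "key in token" and "cert and key in token" variants.
Token name, object labels, paths, identity and PIN are constructed.
"""
from urllib.parse import unquote_to_bytes

# Object classes RFC 7512 allows in the "type" path attribute.
VALID_TYPES = {"public", "private", "cert", "secret-key", "data"}


def _parse_attrs(s, sep):
    """Split 'name=value' pairs on sep and percent-decode each value."""
    out = {}
    if not s:
        return out
    for item in s.split(sep):
        name, eq, value = item.partition("=")
        if not eq or not name:
            raise ValueError("malformed attribute %r" % item)
        if name in out:
            raise ValueError("duplicate attribute %r" % name)
        raw = unquote_to_bytes(value)
        # CKA_ID is an arbitrary byte string; every other attribute is text.
        out[name] = raw if name == "id" else raw.decode("utf-8")
    return out


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI, validating 'type'."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI: %r" % uri)
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    path = _parse_attrs(path_part, ";")
    query = _parse_attrs(query_part, "&")
    if "type" in path and path["type"] not in VALID_TYPES:
        raise ValueError("unknown object type %r" % path["type"])
    return path, query


def _require_type(uri, expected):
    """Reject a URI that names the wrong object class for the config field."""
    path, _ = parse_pkcs11_uri(uri)
    # A URI without type= is passed through (matching is then by label/id).
    if path.get("type", expected) != expected:
        raise ValueError("%s: expected type=%s, got type=%s"
                         % (uri, expected, path["type"]))
    return path


def eap_tls_network(identity, ca_cert, client_cert, private_key,
                    ssid=None, pin=None):
    """
    Build one wpa_supplicant network block.  client_cert / private_key are
    file paths or pkcs11: URIs; any pkcs11 reference switches the block to
    the OpenSSL engine form (engine=1, engine_id="pkcs11", key_id/cert_id).
    """
    lines = ["network={"]
    if ssid is not None:                      # WPA Enterprise (wifi) profile
        lines += ['\tssid="%s"' % ssid, "\tkey_mgmt=WPA-EAP"]
    else:                                     # wired 802.1X profile
        lines.append("\tkey_mgmt=IEEE8021X")
    lines += ["\teap=TLS", '\tidentity="%s"' % identity,
              '\tca_cert="%s"' % ca_cert]

    use_engine = False
    if client_cert.startswith("pkcs11:"):
        _require_type(client_cert, "cert")
        lines.append('\tcert_id="%s"' % client_cert)
        use_engine = True
    else:
        lines.append('\tclient_cert="%s"' % client_cert)
    if private_key.startswith("pkcs11:"):
        _require_type(private_key, "private")
        lines.append('\tkey_id="%s"' % private_key)
        use_engine = True
    else:
        lines.append('\tprivate_key="%s"' % private_key)

    if use_engine:
        lines += ["\tengine=1", '\tengine_id="pkcs11"']
        if pin is not None:
            lines.append('\tpin="%s"' % pin)
    lines.append("}")
    return "\n".join(lines)


# Constructed sample URIs: same token and CKA_ID, different object class.
KEY_URI = "pkcs11:token=limux;object=client-key;type=private;id=%01%02"
CERT_URI = "pkcs11:token=limux;object=client-crt;type=cert;id=%01%02"


def demo():
    """The three LAN variants from the post (profiles 1, 2 and 4)."""
    files_only = eap_tls_network("host@example.org", "/etc/ssl/ca.pem",
                                 "/etc/ssl/client.pem", "/etc/ssl/client.key")
    key_in_token = eap_tls_network("host@example.org", "/etc/ssl/ca.pem",
                                   "/etc/ssl/client.pem", KEY_URI, pin="1234")
    both_in_token = eap_tls_network("host@example.org", "/etc/ssl/ca.pem",
                                    CERT_URI, KEY_URI, pin="1234")
    return files_only, key_in_token, both_in_token


if __name__ == "__main__":
    for block in demo():
        print(block, end="\n\n")
```

The engine-form blocks additionally need the global `pkcs11_engine_path=` and `pkcs11_module_path=` settings at the top of wpa_supplicant.conf, pointing at the OpenSSL pkcs11 engine and the softhsm2 module respectively; with those in place, the same URIs can be checked outside wpa_supplicant with p11tool, which is a quicker way to tell a URI or token problem from the engine-reinitialization problem described in item 2.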